Windows Remote Desktop Services (Session Host Role)

Version 2


    This template assesses the status and overall performance of a Microsoft Windows Remote Desktop Services Session Host Role by monitoring RDS services and retrieving information from performance counters and the Windows System Event Log.

    Prerequisites: WMI access to the target server.

    Credentials: Windows Administrator on the target server.

    Note: All Windows Event Log monitors should return zero values. A returned value other than zero indicates an abnormality. Examining the Windows system log files should provide information pertaining to the issue. Detailed information about these events can be found here: http://technet.microsoft.com/en-us/library/ee891242(WS.10).aspx.

    Monitored Components

    Service: Remote Desktop Configuration

    This monitor returns the CPU and memory usage of the Remote Desktop Configuration service. Remote Desktop Configuration Service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require system context. These include per-session temporary folders, Remote Desktop themes, and Remote Desktop certificates.

    Service: Remote Desktop Services

    This monitor returns the CPU and memory usage of the Remote Desktop Services. This service allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item.

    Service: Remote Desktop UserMode Port Redirector

    This monitor returns the CPU and memory usage of the Remote Desktop UserMode Port Redirector service, which allows the redirection of printers, drives, and ports for RDP connections.

    RDP TCP port availability

    This monitor tests the ability of an RDP service to accept incoming sessions. By default, it monitors TCP port 3389.

    Active Sessions

    This monitor returns the number of active Terminal Services sessions.

    Inactive Sessions

    This monitor returns the number of inactive Terminal Services sessions.

    Total Sessions

    This monitor returns the total number of Terminal Services sessions.

    Events: Remote Desktop Services Authentication and Encryption

    This monitor returns the number of events that occur when:

    • The Terminal Server listener is configured with inconsistent authentication and encryption settings;
    • The Terminal Server is configured to use SSL with a user selected certificate, however, no usable certificate was found on the server;
    • The Terminal Server is configured to use a certificate that will expire soon or is expired;
    • The Terminal Server is configured to use a certificate that does not contain an Enhanced Key Usage attribute of Server Authentication;
    • The Terminal Server is configured to use a certificate but is unable to access the private key associated with this certificate;
    • The Terminal Server has failed to create a new, or replace an expired, self-signed certificate to be used for Terminal Server authentication on SSL connections;
    • The Terminal Server authentication certificate configuration data was invalid and the service reset it;
    • The Terminal Server is configured to use a template-based certificate for Transport Layer Security, but the subject name on the certificate is invalid;
    • The Terminal Server cannot install a new template-based certificate to be used for Transport Layer Security;
    • The template-based certificate that is being used by the Terminal Server for Transport Layer Security has expired and cannot be replaced by the Terminal Server;
    • The certificate issued by the Remote Desktop license server to the Remote Desktop Session Host server is not valid.

    Type of event: Error and Warning. Event ID: 1050, 1051, 1052, 1053, 1054, 1055, 1057, 1058, 1059, 1062, 1064, 1065, 1133.

    If the Terminal Server listener is configured with inconsistent authentication and encryption settings, check the Encryption and Authentication settings on the Remote Desktop Session Host server to ensure that they are compatible, and that they are appropriate for your security requirements and the level of security that your client computers can support.

    If the Terminal Server is configured to use SSL with a user selected certificate and cannot find a usable certificate or is unable to access the private key, install a certificate onto the Remote Desktop Session Host server that meets the requirements for a Remote Desktop Session Host server certificate. Configure the Remote Desktop Session Host server to use the certificate for TLS 1.0 (SSL).

    If the Terminal Server certificate or template-based certificate will expire soon or is expired, take the following steps:

    1.     Use Remote Desktop Session Host Configuration to determine which certificate needs to be renewed.

    2.     Renew the certificate being used by the Remote Desktop Session Host server with the same or new key.

    3.     Configure the Remote Desktop Session Host server to use the certificate for TLS 1.0 (SSL).

    If the certificate does not contain an Enhanced Key Usage attribute, confirm that the certificate for the Remote Desktop Session Host server is configured to use TLS 1.0 (SSL) and has the correct Enhanced Key Usage (EKU) value. The certificate must have an Enhanced Key Usage of Server Authentication (1.3.6.1.5.5.7.3.1) or no Enhanced Key Usage at all. If the certificate does not meet these requirements, install an alternate certificate on the Remote Desktop Session Host server that does meet these requirements, and then configure the Remote Desktop Session Host server to use this certificate for TLS 1.0 (SSL).

    If there are problems with the self-signed certificate for Terminal Server authentication on SSL connections, you should increase available memory. One way to increase the amount of available memory is to determine if there are any programs or processes running on the Remote Desktop Session Host server that can be closed. Use Task Manager to determine which processes are using the most memory, and end those processes if possible.

    If the configuration data is not valid, check the certificate store for the certificate that the Remote Desktop Session Host server is configured to use for TLS 1.0 (SSL). Configure the Remote Desktop Session Host server to use the certificate for TLS 1.0 (SSL).

    If Terminal Server is configured to use a template-based certificate for Transport Layer Security and the subject name on the certificate is not valid, you must modify the certificate template that Active Directory Certificate Services (ADCS) uses as the basis for server certificates enrolled to Remote Desktop Session Host servers. The certificate template must be modified so that the alternate subject name for the certificate matches the DNS name of the Remote Desktop Session Host server.

    If the Terminal Server cannot install a new template-based certificate for Transport Layer Security, one or more of the following conditions may apply:

    • The correct certificate template name is not specified in the Group Policy.
    • The permissions on the certificate template do not allow the RD Session Host server to enroll for this type of certificate.
    • The certificate is not valid for the requested usage.
    • The certificate template does not exist.
    • The certificates that are based on the certificate template are not being issued to computers.

    If the Terminal Server is configured to use SSL with a user selected certificate and cannot find a usable certificate, you should install a certificate onto the Remote Desktop Session Host server that meets the requirements for a Remote Desktop Session Host server certificate. Configure the Remote Desktop Session Host server to use the certificate for TLS 1.0 (SSL).

    If the certificate is not valid, you should delete the certificate from the Remote Desktop Session Host server and then restart the Remote Desktop Services service.
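    The certificate conditions behind these events can be checked directly on the Session Host before they surface in the event log. The script below is an added example, not part of the original template or of Microsoft's documentation; the function name Test-RdshCertificate, the 30-day "expire soon" threshold, and the default listener name RDP-Tcp are assumptions.

```powershell
# Added example: evaluates the listener certificate against the conditions listed above.
function Test-RdshCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DnsName,
        [int]$WarnDays = 30   # assumption: the page does not define "expire soon"
    )
    $findings = @()
    $now = Get-Date

    # Expired, or about to expire.
    if ($Certificate.NotAfter -lt $now) {
        $findings += "Expired on $($Certificate.NotAfter)"
    } elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) {
        $findings += "Expires within $WarnDays days ($($Certificate.NotAfter))"
    }

    # EKU must include Server Authentication, or the extension must be absent.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
            $findings += "EKU present without Server Authentication: $($oids -join ', ')"
        }
    }

    # Presence only; this does not prove the RDS service account can read the key.
    if (-not $Certificate.HasPrivateKey) { $findings += 'No private key associated' }

    # Subject/SAN DNS names must cover the server's DNS name (one-label wildcard allowed).
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $covered = $names | Where-Object {
        $_ -ieq $DnsName -or
        ($_.StartsWith('*.') -and ($DnsName -split '\.', 2)[1] -ieq $_.Substring(2))
    }
    if (-not $covered) { $findings += "No DNS name matches $DnsName (found: $($names -join ', '))" }

    [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# Find the certificate bound to the listener ('RDP-Tcp' is the default listener name; assumption).
$listener = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash } | Select-Object -First 1
if ($cert) {
    Test-RdshCertificate -Certificate $cert -DnsName ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
} else {
    Write-Warning "Listener certificate $($listener.SSLCertificateSHA1Hash) not found in the local machine stores"
}
```

    Run it in an elevated session on the Session Host; an empty Findings list means none of the certificate conditions above were detected.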

    Events: Remote Desktop Services Availability

    This monitor returns the number of events that occur when:

    • The Local Multi-User session manager failed to start;
    • The Remote Desktop Service start failed;
    • The Remote Desktop Service is shut down for an unknown reason;
    • Registering with the Service Control Manager to monitor the Remote Desktop Service status failed;
    • An attempt to send a message to the Windows video subsystem failed.

    Type of event: Warning and Error. Event ID: 16, 17, 18, 19, 20.

    To resolve these issues, you should start the Remote Desktop Services service on the computer. If the problem persists, restart the computer.

    When there is a failed attempt to send messages to the Windows video subsystem, the error code will indicate the issue.

    Events: Remote Desktop Services Client Access License Availability

    This monitor returns the number of events that occur when:

    • The remote desktop client has provided an invalid license;
    • The Remote Desktop Session Host server cannot issue a client license;
    • The remote session could not be established from the remote desktop client because its temporary license has expired;
    • The remote session could not be established from the remote desktop client because its license could not be renewed;
    • The Remote Desktop Session Host server was unable to retrieve user licensing information from the Active Directory;
    • The Remote Desktop Licensing mode has not been configured;
    • The Remote Desktop Licensing grace period has expired and licensing mode for the Remote Desktop Session Host server has not been configured.

    Type of event: Warning and Error. Event ID: 1003, 1004, 1011, 1028, 1043, 1061, 1068, 1069.

    If the remote desktop client provides an invalid license, delete the MSLicensing registry subkey on the client computer, restart the client computer, and then try to connect remotely to the Remote Desktop Session Host server from the client computer. If the issue persists, delete the following: X509 Certificate, X509 Certificate2, and X509 Certificate ID registry entries on the Remote Desktop Session Host server. Next, restart the Remote Desktop Session Host server, and then try again to connect to the Remote Desktop Session Host server from the client computer.

    If the Remote Desktop Session Host server cannot issue a client license, it might be caused by one of the following conditions:

    • The licensing mode for the Remote Desktop Session Host server does not match the type of RDS CALs installed on the license server.
    • The RDP encryption levels on the Remote Desktop Session Host server and the client are not compatible.
    • The certificate on the Remote Desktop Session Host server is corrupt.

    If the temporary license has expired, ensure that the Remote Desktop Session Host server can contact a Remote Desktop license server with a sufficient number of the appropriate type of Remote Desktop Services client access licenses (RDS CALs).

    If the client's license could not be renewed, determine if the Remote Desktop Session Host server can discover a license server.

    If the Remote Desktop Session Host server cannot communicate with the Remote Desktop license server, add the computer account for the Remote Desktop Session Host server to the Terminal Server Computers local group on the Remote Desktop license server.

    If the Remote Desktop Session Host server was unable to retrieve user licensing information from the Active Directory, identify and fix any network connectivity problems between the Remote Desktop Session Host server and the Active Directory domain.

    If there are problems with Remote Desktop licensing mode, specify the Remote Desktop licensing mode on the Remote Desktop Session Host server.

    Events: Remote Desktop Session Host Connections

    This monitor returns the number of events that occur when:

    • The Terminal Server received a large number of incomplete connections;
    • Autoreconnect failed to reconnect the user to the session because authentication failed;
    • The Terminal Server cannot register the "TERMSRV" Service Principal Name;
    • A logon request was denied because the Terminal Server is currently in drain mode;
    • A connection request was denied because the Terminal Server is currently configured to not accept connections;
    • The Remote Desktop Session Host server does not have a Remote Desktop license server specified;
    • The Remote Desktop Session Host server could not contact the Remote Desktop license server.

    Type of event: Warning and Error. Event ID: 1006, 1041, 1067, 1070, 1071, 1130, 1131.

    If the Terminal Server received a large number of incomplete connections, use Remote Desktop Services Manager to check which users are connecting to the Remote Desktop Session Host server. Ensure that there are no suspicious accounts.

    If Autoreconnect failed to reconnect the user, establish a new connection to the Remote Desktop Session Host server by using a Remote Desktop Protocol (RDP) client such as Remote Desktop Connection.

    If the Terminal Server cannot register the "TERMSRV" Service Principal Name, manually register the Service Principal Name (SPN) for the Remote Desktop Session Host server.

    If a logon request was denied because the Terminal Server is currently in drain mode, configure the Remote Desktop Session Host server to allow new user logons by using Remote Desktop Session Host Configuration.

    If the connection request was denied because the terminal server is currently configured to not accept connections, configure the Remote Desktop Session Host server to allow connections by using the chglogon command-line tool.

    If the Remote Desktop Session Host server does not have a Remote Desktop license server specified, specify a Remote Desktop license server on the Remote Desktop Session Host server.

    If the Remote Desktop Session Host server could not contact the Remote Desktop license server, identify and fix any network connectivity problems between the Remote Desktop Session Host server and the Active Directory domain controller.

    Events: Remote Desktop Session Host Listener Availability

    This monitor returns the number of events that occur when:

    • The listener has stopped listening;
    • The listener failed while listening with an error code;
    • The Terminal Server listener stack was down;
    • The Terminal Server session creation failed;
    • The remote control session connection failed.

    Type of event: Error. Event ID: 259, 260, 1035, 1036, 1148.

    If the Listener has stopped listening or the listener stack was down, attempt to restart the listener on the Remote Desktop Session Host server. If restarting the listener is not successful, attempt to increase available system resources, such as memory, on the Remote Desktop Session Host server.

    If the Listener failed while listening with an error code or the Terminal Server session creation failed, this could indicate that another application on the Remote Desktop Session Host server is using the same TCP port as the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.

    If the remote control session connection failed, you must ensure that the user account has Remote Control permissions on the Remote Desktop Session Host Listener.

    Events: Remote Desktop Session Host User Configuration

    This monitor returns the number of events that occur when:

    • The Terminal Server Profile path failed to load;
    • The Terminal Services User Home Directory was not set because the path specified does not exist or is not accessible.

    Type of event: Warning and Error. Event ID: 1046, 1060.

    If the Terminal Server Profile path failed to load, specify a new location for the Remote Desktop Services profile path, ensuring that the path does not exceed 256 characters.

    If the Terminal Services User Home Directory was not set because the path specified does not exist or is not accessible, one or more of the following conditions may be the culprit:

    • The Remote Desktop Services home folder name for a user is incorrect.
    • The computer on which the home folder is located is not accessible.
    • The user does not have sufficient permissions to the home folder.

    Events: Remote Desktop IP Virtualization Availability

    This monitor returns the number of events that occur when:

    • An error occurs when the computer tries to start Remote Desktop IP Virtualization;
    • Remote Desktop IP Virtualization detected more than one network adapter;
    • Remote Desktop IP Virtualization could not find the network adapter;
    • Remote Desktop IP Virtualization could not allocate the IP address.

    Type of event: Warning and Error. Event ID: 102, 111, 113, 118.

    If an error occurred when the computer tried to start Remote Desktop IP Virtualization or the network adapter could not be found, or the IP address could not be allocated, ensure that the network adapter used for Remote Desktop IP Virtualization is enabled. Freeing up memory on the Remote Desktop Session Host server may help.

    If Remote Desktop IP Virtualization detected more than one network adapter, you must disable additional network adapters that are installed on the Remote Desktop Session Host server.

     

    Portions of this document were originally created by and are excerpted from the following sources:

    Microsoft Corporation, “Terminal Server Library,” Copyright © 2012 Microsoft Corporation.
    All rights reserved. Available at
    http://technet.microsoft.com/en-us/library/cc727402%28v=ws.10%29.aspx